一个名为
token
的cookie将在Web表单应用程序成功登录事件上发出,共享给所有域,如*.maindomain.com
。现在,我想将自己的令牌验证方法与ASP.NET内置方法合并,以便在我的新MVC应用程序中可以使用
Authorize
和其他安全相关选项。在我的以前的应用程序中,我以以下方式开发了自定义用户验证系统。
首先,我有以下相关的SQL Server表 和以下类
public class Token
{
public static uint GenerateToken(string userEmail, string password, bool isPersistent)
{
// this static function generates a uint type unique token number
// and put this in the cookie "token" using HttpContext.Current.Response object.
// if isPersistent is set to true then cookie will be persistent otherwise not
// if there is any problem in creating token then it will throw an Exception with proper message
// Possible causes of not generating a token are
// 1. Invalid useremail or password
// 2. 'State' value in 'Member' table is 'EmailPending' or 'Suspended' (there is an enum for MemberState
}
public Token(uint tokenNo, bool validateImmediately = false)
{
// simply load token details with a few filed from member table from database
// Call validate function if validateImmediately is set to true
// Throws an exception if token does not exists in the database
}
public void Validate()
{
// Checks for everything like MemberState is Active and Token status is also Active and throws exception if anything wrong
// and then check (LastAccessedOn.AddSeconds(TokenLife) < AppSettings.Now) is not true
// Call UpdateStatus function with new token status and current page from HttpContext in comment parameter
}
public void UpdateStatus((TokenStatus newStatus, string comment = "")
{
// simply write both newStatus and Comment in Token table
// and remove the token cookie if newStatus is not set to Active
}
public uint TokenNumber { get; private set; }
public uint MemberNumber { get; private set; } // from Member table
public string Name { get; private set; } // from Member table
public MemberState MemberState { get; private set; } // from Member table
public string MemberEmail { get; private set; } // from member table
public uint BusinsessNo { get; private set; } // from Business table
public DateTime CreatedOn { get; private set; }
public DateTime LastAccessedOn { get; private set; }
public uint TokenLife { get; private set; } // from member
public string CreatedIP { get; private set; }
public string LastIP { get; private set; }
public bool IsPersistent { get; private set; }
public TokenStatus Status { get; private set; }
public string Comment { get; private set; }
public static Token Current
{
get
{
if (_t == null)
_t = new Token(uint.Parse(HttpContext.Current.Request.Cookies["token"].Value));
return _t;
}
}
private static Token _t;
}
public class Member
{
// all member related operations like new member, send verification email and verify email
}
为了登出用户,我只需调用UpdateStatus方法,如(TokenSatus.Closed, "User logged out")
。该方法会处理cookie的删除。
注意:Member类有一个属性bool IsAdmin
。你知道它是为什么的。
请为我提供在MVC应用程序中开发身份验证系统的最佳解决方案。我再次告诉你,像New User
、Account Recovery
和Email Verification
这样的选项将在我的之前的ASP.NET Web Forms应用程序中完成。我只需要将Token
类的Validate()
方法放在MVC应用程序的正确位置即可。我真的对互联网上提供的几个解决方案感到困惑。
Token.GenerateToken(...)
。每次请求时都需要验证登录。我只需使用来自token
cookie 的uint
值初始化Token
对象并调用Validate()
方法即可。Validate()
方法不返回任何内容。如果无法验证,则会抛出错误并删除 cookie,并更新新状态、最后访问时间和注释到数据库中。 - shashwat